Pi-hole as additional ad-firewall and (unbound) DNS within Qubes

I already have a pi-hole running on a SBC. Now, I was wondering if it makes sense and how to setup a pi-hole directly inside Qubes.

My main two questions are

A) what order makes most sense:

  1. firewall > sys-net > pi-hole
  2. firewall > pi-hole > sys-net
  3. pi-hole > firewall > sys-net

and B) what would be the best VM OS and type ?


1 Like

OK, I run pihole for a few VM from this doc with is based on Patrizio work. As I prefer NextDNS but this setup work with every DNS that you can think of.

I use debian-minimal with Networking essentials but setup work with every template.

My setup is kind of

Im not sure why it would make sense. I run a unbound and pihole on a freenas vm and then my router just hands out them with the dhcp-requests to sys-net.

So, you have a AppVM > firewall > pi-hole (freenas vm) > sys-net Qubes setup, correct?

I don’t know either :slight_smile:
It was just an idea since we already have a Qubes firewall onboard … so why not having your own DNS (unbound) … malware, regex blocklists … within Qubes (before transmitting anything to your router).

The RPi pi-hole with its web interface is already doing an awesome job. My main question, is there any advantage / disadvantage to have it running as Qube vs. on a SBC (wrt privacy and security)?

1 Like

@Rooftop concerning your post: Restricting a Qube to selected websites

Here, beside the DNS setup are you also interested in testing a pi-hole setup for black-/white listing of websites? I would love to have this as a standard option(!) for Qubes OS. At least a community doc to simple setup pi-hole in Qubes OS.

Pi-hole offers so much more like RegEx, Punycode and Emoji-Domains blocking and a super nice and easy web interface.

Interest, time?

1 Like

I think there was a guide for that on the Qubes community doc already. Just check that.

There is also this which looks pretty straight forward (but I haven’t tried it - maybe one day…)

How to configure PiHole in QubesOS (ProxyVM).

1 Like

Both guides mentioned used to work. But they stopped working in qubes 4.1 recently. @unman Can you suggest what may be the reason that Pi-hole VM not picking traffic from downstream VMs.

Any success getting this to work? Does anyone have pi hole working in 4.1? Any and all help is appreciated.

theoretically possible
but i haven’t tried yet

1 Like

Thanks… I’ll check it out. Hopefully it is not one of the guides mentioned above that don’t work on 4.1.

A few more links can be found here (I never tried them though):

Essentially however you can follow almost any Linux guide to setup your own DNS server inside a regular appVM and then need to get the Qubes networking right. Admittedly the latter is not so easy - at least I needed ~400 loc for that.

Yeah… that’s by main concern. “loc” = lines of code? Geez. This is not looking good.

Yes, but there you go: GitHub - 3hhh/qubes-dns: DNS VM helper scripts

1 Like

Ive been thinking something similar, except pfSense as the sys-net/sys-firewall.

Not only can pfSense replace you router, and do the same dns holing as pihole, but also offers SNORT intuition detection/prevention (IDS/IPS) which is utilized by cisco themselves. pfSense can route selected traffic over VPN, or act as a VPN server, offers complex firewall policies, aliases, and the built in DNS server seems very good too.